Top 10 Companies That Let You Cert Up on Their Dime

roninkai Senior Member San Diego Member Posts: 305 ■■■■□□□□□□
I'm realizing that my cybersecurity cert goals are pacing slower than I'd like. I want to head into pentesting and am working to build a solid foundation of certs and new experience. However, with a busy workday and a company who doesn't train, I'm looking for a list of companies who do in fact place heavy emphasis on acquiring new certs and skills. I'd love a company who would invest in SANS Security up to the GPEN or OSCP level. Can anyone help point me in the right direction? thx
2020 Level Up Goals: (1) DevSecOps Learning Path (2) OSCP


  • cyberguypr Senior Member Mod Posts: 6,915 Mod
    Having racked up $15k in training last year you can tell this is pretty high in my priority list. I don't think you can come up with such a list because this is very company specific and there's not enough people on this board to have a good sample. Even if we produced such a list, you can't realistically circumscribe your job search to just 10 companies based on training resources. If this is important to you it must be sorted out at interview time and factored in when evaluating an offer. Any decent employer will value your interest for professional growth and will let you know what they can do to help.
  • iBrokeIT GICSP, GCIP, GXPN, GPEN, GWAPT, GCFE, GCIA, GCIH, GSEC, CySA+, Sec+, eJPT Member Posts: 1,308 ■■■■■■■■■□
    If you aren't currently a pentester why should your current company foot the bill for your career change and what value does that provide them?

    I think you are overly focused on a narrow slice of the total compensation package. If I gave you a list of companies that provided 1 SANS training class a year but you had to take a $20k pay cut to make the move into one of their open positions, that wouldn't make much sense, would it?

    Also, if you aren't willing to invest your own money into your career change, why should anyone else? I understand the SANS training cost but the OSCP could be obtained for $1k or less and would go a long ways towards your marketability during the transition.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA | eCPPT | eWPT | eCTHP

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security
  • powerfool Senior Member Member Posts: 1,649 ■■■■■■■■□□
    Consulting companies. You are the product, they need to invest in you. That is where I have seen training dollars. Outside of that, vendors that have training vouchers for licensing and such are the next place I see training... but that limits what is available drastically.
    AZ-204 [ ] AZ-400 [X] AZ-500
    2020 Goals: Azure Developer Associate, Azure DevOps Expert, Azure Security Associate
  • OctalDump Member Posts: 1,722
    I think any company that is a vendor partner would likely be a good start for getting free/cheap training for that vendor. SANS/GIAC is probably tougher, since they aren't a vendor like MS or Cisco. Some MSPs and Consultancies are also big on certifications as part of their marketing.

    Another option might be to work for a training company as a trainer. Since trainers typically need to be certified in what they are training, the training company will push for you to be trained.

    I am guessing that it might not just be about money for you, but also time. If you can build a business case why your employer should train you (it can't be that hard, can it?), maybe you can convince them. If you can't, you can likely use that same business case with another employer. An employer isn't going to spend money if they don't see a (good) ROI.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    There are probably lots of companies that would sponsor for training (as well as many who don't). Given the increasing prominence of security in the corporate mindset, training is likely going to be justifiable in many places who have avoided it in the past.

    Years ago I took SANS training on my own dime, but I ended up in a company that pays for one course every year. Interestingly, it's now mandatory that I take some sort of role-based training, so I don't exactly have an option of not taking classes. When dealing with customers, it helps to tell them our staff is continuously trained to stay up-to-date and it provides assurance that we "take our cybersecurity seriously" or whatever corporate-speak is used.
    Hopefully-useful stuff I've written:
  • roninkai Senior Member San Diego Member Posts: 305 ■■■■□□□□□□
    Thanks for the input. It's not that my company won't spend the money, it's just a huge company and I'm a contractor. So even asking for training is really out of the question. This may just be a stepping stone. I like the idea of working for a training company, like CBT Nuggets, etc... I'm closing an 8 year gap from having stepped away from cyber, so getting certs is in focus. But other certs like Linux+, CCNA Security, and OSCP are on my radar to round out my knowledge as I'm weaker in the Linux/Cisco areas, and ultimately want to have a solid base for pen testing. I'll surely do OSCP on my own but if I can find a company that provides good training, I'll go for it. Self-study is fine, but sometimes resources are lacking for technical certs needing more lab action.
    浪人 MSISA:WGU
    2020 Level Up Goals: (1) DevSecOps Learning Path (2) OSCP
  • TechGromit GSEC, GCIH, GREM, Ontario, NY Member Posts: 2,021 ■■■■■■■■□□
    dragonsden wrote: »
    I'd love a company who would invest in SANS Security up to the GPEN or OSCP level. Can anyone help point me in the right direction? thx

    Any company that is Electrical Energy related. There are government mandates that require companies that produce and distribute electricity to meet FERC and NERC cyber security requirements. These companies are struggling to meet the requirements and have been spending lots of money on training. I've worked for my company for less than two years, and since then I have had training on networking, firewalls, and cyber security. I estimate they spent 17k on training alone, not including travel, hotel and meals. I have training for Blackhat coming up, that's another 7 grand. So look for openings in companies like Duke Energy, Pacific Gas & Electric, Southern California Edison, Florida Power & Light, etc.

    The government is another good bet; if you can get in as a Federal Employee, they give lots of training. In all the SANS courses I've taken so far, more than half the students worked for the Federal government.

    Unfortunately the chances of getting hired by one of these employers is kinda like winning the lottery.
    Still searching for the corner in a round room.
  • 636-555-3226 Member Posts: 976 ■■■■■□□□□□
    Large companies where you're on the security team and higher up on the food chain.

    I've had success in the past with paying for it yourself but getting some tax savings. Get your job description amended to include a provision requiring (in this case) security training, possibly even mentioning specific companies or specific certs. So now on paper your employer requires you to have the training you want and the cert, but of course you already know they won't pay for it. Pay for it yourself but then claim it as an unreimbursed business expense on your taxes. Required by the employer but you pay for it yourself. Tricky, dangerous, but it has worked in the past for a few people I know.
  • apr911 Member Posts: 380 ■■■■□□□□□□
    Most companies nowadays offer some training benefits free and clear. How much of a benefit really depends on the company. Larger companies usually have a larger budget for training than a smaller one would but a good mid-sized company will probably work well too...

    Depending on how much training you need, it may require some form of commitment on your part. One company I worked for would take you from a CCNA to a CCIE:Security paying for all the required training, paying you during training, paying for lab gear/time and paying for all the exams but they required you to sign a contract agreeing to remain with the company for at least 18 months upon completion or repay the company some sum of money.

    Since the company would pay for the exams on a passing score anyway, most people opted to go the self-study route on their own time for most of it. Depending on how motivated they were, it'd only take them 2-3 months longer than the group going through the offered training with much more flexibility career-wise and only a marginal increase in cost.

    That being said, if you're in the field or have previous experience, getting you to the SANS GPEN or OSCP level probably wouldn't require much and most companies would probably include it in their normal training budget. My CISSP was covered by my job at no cost to me and I wasn't even in a security role at the time... Granted, I self-studied for the exam so they didn't have to send me for training, but that was only because CISSP training courses almost always filled up the same day they were announced and, working on an after-hours shift, I wouldn't find out one was being offered until well after it was full. After missing 3 consecutive training opportunities in 4 months, I finally decided to see how far I'd get on my own. By the time the next one was offered, I had already taken the exam and passed.
    Currently Working On: Openstack
    2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP